Entrusting the processing of personal data

This Agreement is an agreement for the processing of personal data within the meaning of Article 28 paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).

The provisions of this Agreement also apply if the Client is an entity processing personal data on behalf of its clients and entrusts it for processing to the Service Provider, who in such a case will be considered a sub-processor.

The provisions of this Agreement do not apply to the processing of personal data by the Service Provider, which it processes independently, in accordance with applicable law, as a personal data controller, regardless of this Agreement, even in situations where the personal data processed by the Service Provider as a controller overlaps, in whole or in part, with the personal data entrusted to the Service Provider under the Agreement. Detailed information regarding the processing of personal data of Customers and Users invited to use the Business Customer Account in the GoTacho Application by the Service Provider as a personal data controller is included in the document: “Privacy Information for Customers and Users Using the GoTacho Business Account.”

The provisions of this Agreement do not apply to Customers who use from Private Accounts.

Subject of processing

The subject of processing under this Agreement covers the Personal Data specified below (hereinafter referred to as “Personal Data” or “Data”).

Users invited to use the Business Client Account who have activated it Profile,

any other categories of persons whose data will be transferred in connection with the use from the Application (e.g. drivers whose data is processed in the Application and who have not been invited to use the Customer Account).

Data of the invited User: e-mail address, first name, last name and other data, if the Client or User adds them in the User Profile in the Corporate Client Account.

Any personal data contained in the data added or documents sent, including, in particular:

data contained in files and documents imported into the Application,

data on drivers’ activity,

about personal data contained in drivers’ documents,

data related to business trips,

data regarding infringements,

data contained in alerts,

in the case of adding information about the driver’s medical/psychological certificate – also data within the scope of sensitive data concerning the driver’s health condition.

Any other types of personal data provided in connection with the use of the Application.

collecting,

recording,

organizing,

structuring,

storing, adapting or modifying,

downloading,

viewing,

using,

disclosing by transmission,

disseminating or otherwise making available,

matching or combining,

deleting or destroying.

Entrusting personal data to the Processor for the purpose of implementing the subject matter of the Main Agreement in the scope of:

providing the Services referred to in the Terms and Conditions of Use of the GoTacho Application, including in particular:

automatic downloading and processing of files from digital tachographs and cards drivers,

calculation and generation of working time records, payroll reports, infringement reports and other documents required by labor law and road transport regulations,

secure, remote transmission, storage and archiving of this data in the cloud,

presentation of results in web and mobile interfaces and their export to files/APIs,

maintaining the Profile of the User invited to use the Customer Account Corporate.

Data processed in the IT systems of the Processor, in a manner automated.

The nature of personal data processing is continuous throughout the duration of the Agreement Main.

Method of data processing

To the extent this Agreement applies, the Processor shall only process Personal Data on the Client’s documented instructions, unless required by Union or Member State law. A documented instruction shall be deemed to be the Master Agreement, including any instruction given by the Client to the Processor under the Master Agreement in the form of a written or electronic instruction provided by the Client to the Processor (“Instruction”).

Additional Instructions beyond the Client Instructions contained in the Main Agreement require prior written or electronic agreement between the Service Provider and the Client, including agreement on any additional fees payable by the Client to the Service Provider for carrying out such instructions.

If the Processor has any doubts as to the legality of the Order, including its compliance with personal data protection regulations, it should immediately inform the Client, who will verify the correctness of the ordered processing.

Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity of violations of the rights and freedoms of natural persons, the Processor is obligated to implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. The current list of measures referred to in the preceding sentence, applied by the Processor in relation to the Personal Data entrusted to it under this Agreement, can be found on the Service Provider’s website: https://docs.gotacho.com/pl/regulations/privacy/entrustment_agreement/toms . Due to technical and organizational developments, the Processor has the right to implement alternative, adequate Personal Data security measures, provided that this does not result in a reduction in the level of Personal Data security provided by these measures. Updates to the list of Personal Data security measures do not constitute an amendment to this Agreement.

The Processor may demonstrate compliance with the obligations set out in point 3.4 above, in particular by applying an approved code of conduct referred to in Article 40 of the GDPR or an approved certification mechanism referred to in Article 42 of the GDPR.

The Processor undertakes that only authorized persons obligated to keep Personal Data confidential will be permitted to process Personal Data.

The Processor undertakes to keep confidential all information and Personal Data to which it has access in connection with the performance of the Main Agreement, unless it is obliged to disclose them under applicable law. If the Processor is required, under applicable law, to disclose Personal Data entrusted for processing, it will immediately notify the Client thereof, unless it is prevented from doing so under the applicable law.

Taking into account the nature of the processing of Personal Data, to the extent possible, the Processor shall assist the Client, through appropriate technical and organisational measures, in fulfilling the obligation to respond to requests from the data subject in the exercise of his or her rights set out in Chapter III of the GDPR.

Reporting violations

The Processor shall immediately notify the Client of any breach of Personal Data protection occurring on the part of the Processor and, if possible, shall take the necessary measures to minimize any possible negative effects of such a breach.

The Processor will submit the notification referred to in point 4.1 above to the e-mail address provided by the Account Owner in the Customer Account.

Consent to sub-entrustment

The Client expresses general consent to the Processor to further entrust Personal Data to subprocessors to the extent and for the purpose necessary to perform the subject matter of the Main Agreement.

The current list of sub-processors is available on the website: https://docs.gotacho.com/pl/regulations/privacy/entrustment_agreement/list_of_other_processors .

The Processor is obliged to inform the Client of any intended changes concerning the addition or replacement of further processors before the actual commencement of using the services of these entities, thereby giving the Client the opportunity to object to such planned changes, with the period for the Client to file an objection being 14 days from the date of notification by the Processor to the Client of the planned changes concerning the addition or replacement of further processors.

Failure to raise an objection within the above deadline, in accordance with the requirements referred to above, will be deemed a lack of objection on the part of the Client. In the event of an objection, the Client is obligated to submit it in writing (including electronically), under pain of invalidity. The justification should include, in particular, information about the specific technical and organizational measures used by the subprocessor that do not provide sufficient guarantees of compliance with the GDPR requirements and the basis for the Client’s request, including, in particular, whether the basis was an audit conducted at the subprocessor, a personal data breach was discovered by the subprocessor, or the subprocessor was penalized by a supervisory authority within the meaning of the GDPR.

If the Customer expresses a justified objection to the changes concerning the addition or replacement of further processors, in accordance with the requirements referred to above, the Customer shall be entitled to resign from the Services provided under the Main Agreement on the terms described in the Main Agreement.

The Client will be notified of any intended changes concerning the addition or replacement of other processors by the Processor, referred to in point 5.3 above, by updating the list of subprocessors available on the Processor’s website and by means of information sent electronically to the e-mail address provided by the Client in their Client Account.

The agreement concluded by the Processor with the sub-processor will impose on the sub-processor the same obligations to protect Personal Data as this Agreement imposes on the Processor, in particular the obligation to provide sufficient guarantees for the implementation appropriate technical and organisational measures to ensure that processing complies with applicable law.

If a sub-processor fails to fulfil its obligations to protect Personal Data, the Processor shall remain fully liable to the Client for the fulfilment of the sub-processor’s obligations.

Principles of cooperation in the implementation of the obligations specified in Articles 32-36 of the GDPR

Taking into account the nature of the processing of the Personal Data entrusted and the information available to the Processor, the Processor is obliged to support the Client, as the controller of personal data, in fulfilling the obligations specified in Articles 32-36 of the GDPR. If the support requested by the Client, as described above, exceeds standard support in the Processor’s opinion, the Processor has the right to charge an additional fee for such services. The Processor will inform the Client of the fee amount and estimated timeframe before commencing the provision of additional support, which will be provided after the Client accepts the terms and conditions.

Cooperation in the implementation of the rights of data subjects

Taking into account the nature of the processing of the Personal Data entrusted and the information available to the Processor, the Processor is obliged to support the Client, as the controller of personal data, in fulfilling the obligations specified in Articles 32-36 of the GDPR. If the support requested by the Client, as described above, exceeds standard support in the Processor’s opinion, the Processor has the right to charge an additional fee for such services. The Processor will inform the Client of the fee amount and estimated timeframe before commencing the provision of additional support, which will be provided after the Client accepts the terms and conditions.

Transfer of Data to a Third Country

The Service Provider is entitled to use subprocessors based outside the EEA to process Personal Data as part of the performance of the Main Agreement, provided that the requirements of Article 45 or 46 of the GDPR are met.

If the provision of Services under the Main Agreement requires the transfer of Personal Data to a third country, in particular in connection with the provision of server-based services, the Service Provider will ensure that such transfer will be carried out in accordance with Articles 45-46 of the GDPR, and that appropriate safeguards referred to in the GDPR will be adopted for such transfer. The transfers referred to above are deemed to constitute the execution of a documented Customer Order issued under the Main Agreement.

In the case referred to in points 8.1 and 8.2 above, the Service Provider will provide the Client, upon each documented request, with information on the transfer of Data to a third country and, where applicable, on the application of appropriate safeguards referred to in Article 46 GDPR.

Audit

The Processor shall provide the Client with all information necessary to demonstrate compliance with the obligations incumbent on the Processor and shall enable the Client or auditors authorized by the Client to conduct audits, cooperating in verification and corrective actions.

The frequency of the audits referred to in point 9.1. should not exceed once every 12 months, unless a breach of Personal Data protection has occurred at the Processor, as determined by a supervisory authority within the meaning of the GDPR.

The Client shall inform the Processor of a planned audit or inspection at least 30 days in advance, simultaneously indicating the persons authorized by the Client to conduct the inspection or audit, in order for the Parties to jointly determine the date and schedule of the audit.

The commencement of the audit will be dependent on the conclusion of appropriate agreements by the Parties.

Inspections may be performed by individuals designated by the Client on business days during the Processor’s business hours. Individuals designated by the Client are entitled to request information from the Processor regarding the processing of Personal Data by the Processor.

Persons appointed by the Client to conduct the audit may not conduct activities that compete with the Processor’s activities or be employed under an employment contract or civil law contract by an entity conducting such activities.

Subject to the paragraph below, any audits conducted by or on behalf of the Client will be at the Client’s expense. The Processor shall provide reasonable assistance to conduct the audit at no additional cost to the Client.

For the time the Client spends on an audit with the Processor exceeding two man-hours, the Processor is entitled to remuneration, the amount of which will be communicated to the Client prior to the commencement of the planned audit. The remuneration will be calculated on an hourly basis, taking into account the costs incurred by the Service Provider in connection with the involvement of its team members in conducting the audit.

Liability of the Processor for processing of Personal Data inconsistent with the Agreement

The Processor’s liability towards the Client for any claims, damages, liabilities, losses or costs related to the breach of this Agreement or resulting from the unlawful processing of Personal Data by the Processor shall be limited to the amount of the total fees paid by the Client to the Processor for the performance of the Services under the Main Agreement in the period of 6 months preceding the event that gave rise to the claim.

Duration of processing of Personal Data by the Processor

The Agreement was concluded for the duration of the Main Agreement.

From the date of termination or expiration of the Main Agreement, the Processor, depending on the Client’s decision, shall delete or return to the Client the Personal Data that were the subject of the entrustment and delete all existing copies thereof, unless Union law or the law of a Member State requires the storage of the Personal Data.

The provisions of this Agreement shall apply after the termination of cooperation and shall remain in force until all Personal Data entrusted by the Client are completely deleted or returned to the Client.

Final provisions

The Agreement shall enter into force on the date of conclusion of the Main Agreement.

In the event of a conflict between the provisions of the Agreement and the provisions of the Main Agreement, the provisions of the Agreement shall prevail.

This Agreement supersedes any other agreements between the Parties regarding the processing and protection of Personal Data processed in connection with the performance of the Main Agreement.

Changes and additions to the Agreement may be made in a manner analogous to changes to the terms of the Agreement.

If any provision of the Agreement is deemed invalid or legally defective, the remaining provisions shall remain in force to the fullest extent permitted by law.

All matters not expressly regulated in the Agreement shall be governed by the relevant provisions of law, in particular the GDPR and other provisions on personal data protection.

Disputes arising between the Parties in connection with the Agreement will be resolved by the court having jurisdiction over the registered office of the Processor.